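---
# Release pipeline for the `conf` binary: triggered by a pushed `v*` tag and
# run as a chain of jobs, verify -> build-artifacts -> package-release -> publish.
#
# Third-party actions below are referenced by mutable tags (e.g. `@v4`).
# Pinning each `uses:` to a full commit SHA (keeping the tag in a trailing
# comment) makes the pipeline immune to a tag being re-pointed later; take the
# SHAs from each action's own release page when pinning.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "v*"

# Least privilege: every job starts read-only. The two jobs that need more
# (keyless signing, creating the release) raise only the scope they use, at
# job level, so the build and lint jobs never hold a write-capable token.
permissions:
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Vet
        run: go vet ./...
      - name: Test
        run: go test ./...
      - name: Lint
        uses: golangci/golangci-lint-action@v7
        with:
          version: v2.8.0

  build-artifacts:
    needs: verify
    runs-on: ubuntu-latest
    strategy:
      # Keep building the other targets when one fails so the report is complete.
      fail-fast: false
      matrix:
        include:
          - goos: linux
            goarch: amd64
            ext: ""
          - goos: linux
            goarch: arm64
            ext: ""
          - goos: darwin
            goarch: amd64
            ext: ""
          - goos: darwin
            goarch: arm64
            ext: ""
          - goos: windows
            goarch: amd64
            ext: ".exe"
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build binary
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          # Quoted so the runner receives the string "0", not a YAML integer.
          CGO_ENABLED: "0"
          # Expression values reach the script through the environment rather
          # than being spliced into its text, so the shell never parses them
          # as code and quoting stays under the script's control.
          EXT: ${{ matrix.ext }}
          VERSION: ${{ github.ref_name }}
        run: |
          mkdir -p dist
          output="dist/conf-${GOOS}-${GOARCH}${EXT}"
          # -trimpath and -s -w keep build paths and symbol tables out of the
          # shipped binary; Version is stamped from the pushed tag name.
          go build -trimpath \
            -ldflags "-s -w -X github.com/rgonek/confluence-markdown-sync/cmd.Version=${VERSION}" \
            -o "$output" ./cmd/conf
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: conf-${{ matrix.goos }}-${{ matrix.goarch }}
          path: dist/conf-${{ matrix.goos }}-${{ matrix.goarch }}${{ matrix.ext }}

  package-release:
    needs: build-artifacts
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # keyless cosign needs the OIDC token for its certificate
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: conf-*
          path: dist
          merge-multiple: true
      - name: Install Syft
        uses: anchore/actions/setup-syft@v0
      - name: Generate SBOM files
        run: |
          for binary in dist/conf-*; do
            syft "${binary}" -o spdx-json="${binary}.sbom.spdx.json"
          done
      # Checksums are taken after the SBOMs exist so the signed manifest covers
      # every file that ships in the release, not only the binaries.
      - name: Generate checksums
        run: |
          cd dist
          sha256sum conf-* > checksums.txt
      # A HIGH/CRITICAL finding fails the job before anything is signed.
      - name: Vulnerability scan artifacts
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: dist
          format: table
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.8.1
      - name: Sign checksums (keyless)
        run: |
          cosign sign-blob --yes \
            --output-signature dist/checksums.txt.sig \
            --output-certificate dist/checksums.txt.pem \
            dist/checksums.txt
      - name: Upload release bundle
        uses: actions/upload-artifact@v4
        with:
          name: conf-release-bundle
          path: |
            dist/conf-*
            dist/checksums.txt
            dist/checksums.txt.sig
            dist/checksums.txt.pem

  publish:
    needs: package-release
    runs-on: ubuntu-latest
    permissions:
      contents: write  # action-gh-release creates the release and attaches assets
    steps:
      - name: Download release bundle
        uses: actions/download-artifact@v4
        with:
          name: conf-release-bundle
          path: dist
      # Refuse to publish if any downloaded file no longer matches the signed
      # manifest produced in package-release.
      - name: Verify bundle integrity
        run: |
          cd dist
          sha256sum --check checksums.txt
      - name: Publish GitHub release assets
        uses: softprops/action-gh-release@v2
        with:
          files: |
            dist/conf-*
            dist/checksums.txt
            dist/checksums.txt.sig
            dist/checksums.txt.pem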